RhoSysAdmin

asked on

Concerns if raising functional levels for domain/forest that includes RODC in DMZ?

We want to raise the functional levels for our current single domain forest now that all DC's are running 2008 R2 or higher.  My only concern is a new RODC we added in an isolated subnet that can only talk to one of my DC's (and it's not the one that's the FSMO role holder). We have a small network, so all the FSMO roles are on our one primary DC.

We have a colocation facility that has another DC, and that's where the RODC is located. Communication to the RODC is restricted to just this "colo" DC.

Will I have any issues with my RODC if I raise the domain and forest functional levels from my primary DC in our main office?

I ask b/c I see repadmin errors (error 58)  when running repadmin from my primary DC b/c it cannot see the RODC.

Any advice is greatly appreciated!
Mal Osborne

Are you raising the domain and forest functional levels from 2008 to 2008R2? If so, you have the option of rolling back if there are problems (assuming the AD recycle bin has not been enabled).
You can raise functional levels without issue. Unrelated though, you should adjust your topology so each DC accurately knows which others it can reach.
ASKER CERTIFIED SOLUTION
Antzs
RhoSysAdmin

ASKER

When I run "repadmin /showrepl *" from my colo DC (which is the only DC allowed to talk to the RODC - which lives in a DMZ), I don't see any errors.

I configured the sites and site links so the DMZ'd RODC will only talk to the COLO'd DC.  It was by design.  There are firewalls in place to further protect this arrangement.

I don't know why the "repadmin /showrepl *" tries to check against the RODC when run from my main office site. Should I use a different syntax?
* means all DCs
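
One way to scope the check instead of using `*`, as an added example that is not part of the original thread: enumerate the DCs, skip any that the machine running the script cannot reach (such as the DMZ RODC when run from the main office), and run `repadmin /showrepl` against each remaining DC by name. It assumes the ActiveDirectory PowerShell module and repadmin.exe are available, and it uses a TCP 135 probe as the reachability check; `Test-TcpPort` is a helper defined here, not a built-in cmdlet.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module and repadmin.exe.
Import-Module ActiveDirectory

# Helper defined for this example: TCP connect with a timeout, returns $true/$false.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Assumption: TCP 135 (RPC endpoint mapper) stands in for
# "this host is allowed to reach that DC through the firewalls".
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    if (-not (Test-TcpPort -ComputerName $dc.HostName -Port 135)) {
        # Record the DC as skipped rather than letting repadmin report an error for it.
        [pscustomobject]@{
            DC = $dc.HostName; Site = $dc.Site; RODC = $dc.IsReadOnly
            Source = ''; Failures = ''
            LastStatus = 'not queried: unreachable from this host'
        }
        continue
    }
    # Query one DC by name instead of '*', and read the CSV form of the output.
    & repadmin.exe /showrepl $dc.HostName /csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            DC = $dc.HostName; Site = $dc.Site; RODC = $dc.IsReadOnly
            Source = $_.'Source DSA'
            Failures = [int]$_.'Number of Failures'
            LastStatus = $_.'Last Failure Status'
        }
    }
}

$report | Sort-Object Site, DC | Format-Table -AutoSize
```

Run from the colo DC, the same script also covers the RODC, because that is the one host the firewalls allow to reach it.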